Sussex Police suffer multiple breaches into police and public data

An external police network was breached over the Christmas period allowing for personal information of police officers and members of the public to be illegally accessed.

According to the Eastbourne Herald, Sussex Police is investigating security breaches of its external website which occured over the Christmas period. It found that there were three breaches within a contained area of the website and could possibly be linked.

Amaraghosha Carter, joint head of IT for Surrey and Sussex police forces, said: “A full investigation is underway to identify the source of the breaches and their impact. Those responsible have obtained email addresses of a number of officers and personal email addresses of some members of the public who have used the services of our website.

“Communications staff have contacted around 270 people who may have been affected, in particular to give them security advice in relation to their passwords for our community messaging service. Our website is entirely separate to those systems used to investigate crime.”

They also confirmed that the activity had not impacted on any other force IT, web or telephony systems and operational response is unaffected.

“There has been no impact on our service to the public. Measures are being put in place to ensure that the security of the website is not compromised further.

“Work is being carried out to ensure that all our IT systems remain resilient and secure and an investigation is under way to find those responsible.”

Commenting, Lancope CTO TK Keanini admitted that “everyone is a target”, especially following the compromise of a bus website last week.

He said: “The problem fundamentally is a race in knowledge: the criminals understand information technology better than law enforcement. Then it will go back the other way and back and forth we go as both of these crafts are brought into the information age.

“Law enforcement needs to not make information technology someone else’s job, but embrace it into their craft as information technology is woven in to our everyday lives.”

Keanini said that the statement about the networks being separate is good if it is true, but processes and detection must be put in place to ensure this is done on a minute by minute basis.

“Networks have a tendency to jump barriers and in this connected world, someone will make a mistake, or the adversary will find a way to connect two disparate networks and those statements of separation are no longer true,” he said. “If we want to protect data, we must employ encryption so that even when the data is in someone’s possession, it is still not available to the wrong person.”